The Four Horsemen of the Apocalypse, Class of 2011: Recreational Hacking

This column looks at the second of the Horsemen: recreational hacking. It’s also known by other more euphemistic names—hacktivism, electronic civil disobedience, and leaderless resistance. There’s even been a celebrity’s name appropriated to describe the phenomenon: the Streisand Effect.

The previous column in this series—The Four Horsemen of the Apocalypse, Class of 2011: The Cloud—discussed cloud computing and what it means to corporate counsel. This column looks at the second of the Horsemen: recreational hacking. It’s also known by other more euphemistic names—hacktivism, electronic civil disobedience, and leaderless resistance. There’s even been a celebrity’s name appropriated to describe the phenomenon—The Streisand Effect—named in “honor” of Barbra Streisand following her 2003 attempt to suppress online photographs of her residence, only to find that it resulted in even more online exposure when the Internet community saw to it that the photographs went viral.

What is recreational hacking? Ever since computers first stored data, digital burglars have hacked into systems to steal commercially valuable data that they then sell to the highest bidder or use for identity theft. Whole industries have emerged to protect data from such threats. So with all this protective innovation, why do we read more about hackers than ever before? Every day there are stories of attacks. (And if you have any doubts about that, subscribe to Westlaw Watch’s Social Media and Cybercrime Reports for a daily eye-opener.)

But there is something more sinister lurking in the hacking ecosphere that corporate counsel need to understand and address. Hacking is no longer just for purposes of data thievery or identity theft. It’s now a popular form of online recreation. One of the most alarming trends is hacking for the simple purpose of shutting down corporate sites, not for pecuniary gain but because of ideological or otherwise selfish views, particularly when social media sites like Twitter and Facebook can marshal the support of millions of like-minded hackers in nanoseconds. It all makes it virtually impossible to detect an attack until it is well underway, if not successfully completed.

This makes preparation for crisis management before any attacks are made a priority, rather than the “after-the-fact” effort employed by many companies today. A proactive rather than reactive approach is a mandate for corporate counsel. Nor is this crisis-management team composed of the same members traditionally turned to in the past. While legal and public relations are certainly at the table, today the team needs to include highly trained technology experts. And not just typical IT mavens—they’re important, but they’re not enough. Today, the team needs to include an IT warrior, someone who knows how to go on the attack and use the same sites and methods used by hackers in order to fight them.

The IT warrior needs to know how to attack online and offline. Remember, the most important thing to a hacker is anonymity, and a well-timed phone call to their job or residence rains a very cold shower on their personal convictions or vendetta. So does outing their identity on the same sites they use to recruit supporters. There are any number of such consultants that can perform this work, many of them made up of former military intelligence operatives. (Check out Centurion Intelligence Partners, Inc., for one of the best.)

It’s no joke. What’s next for corporate counsel to consider—covert operations to rid cyberspace of hacking terrorists? Come to think of it, that’s probably happening right now, given reports that China and North Korea are hacking into just about every “enemy” state system they can find, in search of data and programming that can give them a competitive or political advantage. It should not have gone unnoticed by anyone that in May 2011, the Pentagon put hacking on the official list of acts of war, allowing the use of military force to counteract it. Imagine that. Conventional weapons vs. viral militia. If I were a betting man, I’d put my money on the militia.

Back to the crisis team. The team also needs an “ethical hacker”—someone who knows all the tricks of the trade (wonder how they learned that...) and consults with companies on how to prevent and defend against hacker attacks—first through what’s generally known as a penetration test (ouch!) and then through ongoing monitoring. They can also assist the IT warrior in tracking down the hackers. A company may even want to consider an ethical hacker that has been certified by the International Council of E-Commerce Consultants. That’s right. There is a certification program for hackers.

The final member of the team needs to be the company’s government-affairs expert: a lobbyist. Because it’s highly likely that any attack that becomes public—and virtually all of them do—may be followed by a Congressional hearing to determine what went wrong (adding more headaches to the class action lawsuits that will most assuredly follow any hacking attack as well). Not that Congress will come up with anything to help, but we all know how much they love to have hearings.

No company is immune. According to a June 2011 survey by the Ponemon Institute, 90 percent of 583 companies polled reported that they suffered a security breach by hackers at least once in the past year. Companies like Citigroup, Nintendo, Google, PBS, Lockheed, Fox Broadcasting, and Sony Online Entertainment have been hit. Hackers even like to brand themselves, proud of their successes. Three of the most notorious are Aurora, Anonymous, and LulzSec. There is even an online newspaper—The Hacker News—devoted to keeping everyone (including hackers) up to date on the hacking news of the day.

Today, it’s not a matter of if a company will be victimized by a hacker. As the infatuation with recreational hacking grows and the market value of data—sold or interrupted—skyrockets, corporate counsel need to recognize that it’s a matter of when, and their companies must prepare now for the worst. Here are some steps corporate counsel can take:

1. Check the company’s security systems. Chances are, they’re not state of the art. Considering the potential damage a successful hacker attack can cause, only the best system will do.

2. Retain an ethical hacker, and perform a penetration test.

3. Assemble a crisis-management team that includes your legal, public relations, and government-affairs departments, along with an IT warrior. Hold simulations.

4. Audit the company’s data security policies. Consider strong language addressed to employees and site visitors that there is NO expectation of privacy, and that despite every effort the company makes, data may be breached. Even consider disclaiming liability should a breach occur. That may not get a company off the hook, but it’s at least something to hang onto in a defense rather than hanging the company.

We’ve now covered two of the Four Horsemen of the Apocalypse, Class of 2011: the Cloud and Recreational Hacking. Next we’ll take a look at Horseman number three: IPv6, the new operating protocol for the Internet. It’s here. And while it may make the Internet more stable, it’s a source of nightmares for corporate counsel. From there, we’ll conclude the series with a final column on Horseman number four: the possible arrival in 2012 of hundreds of new top-level domains (the word to the right of the dot, e.g., “.com” in “reedsmith.com”).

Now that is a real nightmare!

Douglas Wood is a partner in the New York office of Reed Smith LLP. He specializes in media and entertainment law and is editor of Network Interference—a Legal Guide to the Commercial Risks and Rewards of the Social Media Phenomenon, a White Paper on how social media globally impacts every level of business.